I will continue my endeavour started yesterday (read all about it HERE). Before analyzing some of the cases from the EDPS 2010 Report, I should mention that in 10 cases resolved in 2010 the EDPS found there was no breach of data protection rules, while in 11 cases non-compliance with data protection law was found to have occurred (and recommendations were addressed to the data controller concerned).
Here are the cases, just as they are explained in the EDPS 2010 Activity Report:
1. Access to one’s own medical file. The EDPS received a complaint relating to access to one’s own medical file held by an institution’s medical service. The EDPS confirmed that under the data protection rules, access to personal data does not oblige the controller to send the original medical file, but that it implied in practice being able to have a look at it (in person or in certain cases indirectly via a doctor) and/or take copies of it. With regard to the right to rectification of inaccurate or incomplete data, the EDPS underlined that the obligation to rectify data in the context of medical data is related only to factual data and not to health related assessments. The controller is therefore not obliged under data protection rules to modify the conclusion of a specific medical report. In such a context, the right to rectify the data could result in the possibility to include another report from another medical professional containing a different assessment. The EDPS therefore concluded in this case that there was no breach of data protection rules.
1. Publication of personal sensitive data. A complaint was received about the publication of highly sensitive personal data in the Official Journal of the European Union and in the minutes of a European Parliament session. Following an inquiry into the matter, the EDPS concluded that the opinion of the Member of Parliament could have been expressed and the political message of the Written declaration could have been transmitted effectively without revealing the identities of the persons concerned. The EDPS requested the deletion of the names of the persons invoked by the Member in the Written declaration and in any other medium. He also requested that a formal and effective procedure be established in order to ensure that definitive versions of documents published in the Official Journal and on the internet site of the Parliament take into account modifications introduced by the services in charge of the preparation of documents.
2. Communication of personnel numbers through an agency’s internal e-mail. A complaint was received relating to the communication of personnel numbers of the members of staff of an agency to all users via the agency’s internal email addresses. The purpose of the particular processing was to invite all members of staff for an appointment with the agency’s Security section to have their photograph taken. The EDPS considered that, for this purpose it was fully sufficient to send a list containing only last name and first name of all the persons concerned. The personnel number on this list was irrelevant and excessive in relation to the said purpose and thus in violation of Article 4 of the Regulation. The EDPS invited the agency to formally instruct staff dealing with personal data to be selective and exercise particular care when sending massive internal or external mailings containing personal data so as to ensure that only data which are necessary for the purpose of the message are included.
3. Covert video surveillance. A staff member complained against covert video surveillance in his institution. In particular, he questioned the lawfulness of the use of a video camera which recorded him, without his knowledge, when he entered his supervisor’s office in his absence. The EDPS concluded that the institution had not demonstrated the existence of a legal basis which would explicitly allow the possibility of such highly intrusive operations and provide for specific conditions and safeguards. Without such a transparent legal basis and a structured approach, the proportionality of covert video surveillance was doubtful. The EDPS, therefore, called on the institution to re-examine whether it wished to avail itself of covert surveillance in the future and if so, to submit its plans to the EDPS for prior checking.
In conclusion, data protection complaints to an authority such as the EDPS vary as much as the general subject matter of data protection. Whether people don’t have access to their personal information, whether their sensitive data is published or whether they are being surveilled in an office without knowing, they feel like their privacy is being invaded and they want to react somehow. Nevertheless, it is clear that the right to data protection is not an absolute one. In case I.1. from above, the individual did not have the right to simply modify data concerning his health, even though the modification was meant for his own medical file. Health is a sensitive subject matter and keeping track of one’s medical condition is important, even though the medical condition changed. It would be interesting to know more facts from this particular case to analyze in depth this limit of the right to data protection.